Abstract. Parametric timed automata extend the standard timed automata
with the possibility to use parameters in the clock guards. In general,
if the parameters are real-valued, the problem of language emptiness
of such automata is undecidable even for various restricted subclasses. We
thus focus on the case where parameters are assumed to be integer-valued,
while the time still remains continuous. On the one hand, we show that
the problem remains undecidable for parametric timed automata with
three clocks and one parameter. On the other hand, for the case with
arbitrarily many clocks where only one of these clocks is compared with (an
arbitrary number of) parameters, we show that the parametric language
emptiness is decidable. The undecidability result tightens the bounds
of a previous result which assumed six parameters, while the decidability
result extends the existing approaches that deal with discrete-time
semantics only. To the best of our knowledge, this is the first positive
result in the case of continuous-time and unbounded integer parameters,
except for the rather simple case of single-clock automata.


1 Introduction 

Timed automata [5] are a popular formalism used for modelling of real-time 
systems. In the classical definition, the clocks in guards are compared to fixed 
constants and one of the key problems, decidable in PSPACE [1], is the question 
of language emptiness. More than 20 years ago, Alur, Henzinger and Vardi [3] 
introduced a parametric variant of the language emptiness problem where clocks 
in timed automata can be additionally compared to a number of parameters. 
A clock is nonparametric if it is never compared with any of the parameters, 
otherwise the clock is parametric. The parametric language emptiness problem 
asks whether the parameters in the system can be replaced by constants so that 
the language of the resulting timed automaton becomes nonempty. 

Unfortunately, the parametric language emptiness problem is undecidable for
timed automata with three parametric clocks [3]. Yet Alur, Henzinger and Vardi
established a positive decidability result in the case of a single parametric clock.
This decidability result was recently extended by Bundala and Ouaknine [9] to
the case with two parametric clocks and an arbitrary number of nonparametric
clocks. Both positive results are restricted to the discrete-time semantics with
only integer delays. The problem of decidability of integer parametric language
emptiness in the continuous-time semantics has been open for over 20 years.
The parametric language emptiness problem has two variants, which we call
reachability (existence of a parameter valuation s.t. the language is nonempty)
and safety (existence of a parameter valuation s.t. the language is empty).

Table 1: Decidability of the language (non)emptiness problems

|  | discrete time, integer parameters | continuous time, integer parameters | continuous time, real parameters |
|---|---|---|---|
| n clocks, m parameters, 1 parametric clock only | decidable [3] | decidable | undecidable [15] |
| 3 clocks, 1 parameter | undecidable | undecidable | undecidable [15] |
| 3 clocks, 6 parameters | undecidable [3] | undecidable [3] | undecidable [3] |

Our main contributions, summarised in Table 1, are: (i) undecidability of
the reachability and safety problems (in discrete and continuous-time semantics) 
for three parametric clocks, no additional nonparametric clocks and one integer 
parameter and (ii) decidability of the reachability and safety problems in the 
continuous-time semantics for one parametric clock with an arbitrary number of 
integer parameters and an unlimited number of additional nonparametric clocks. 
For reachability the problem is further decidable in NEXPTIME. 


Related work. Our undecidability result holds both for discrete and continuous 
time semantics and it uses only a single parameter with three parametric clocks, 
hence strengthening the result from [3] where six parameters were necessary for 
the reduction. In [9] the authors established NEXPTIME-completeness of the 
parametric reachability problem for the case of a single parametric clock but 
only for the discrete-time semantics. Parametric TCTL model checking of timed 
automata, in the discrete-time setting, was also studied in [8,18]. Our decision
procedure for one parametric clock is, to the best of our knowledge, the first one 
that deals with continuous-time semantics without any restriction on the usage 
of parameters and without bounding the range of the parameters. 

Reachability for parametric timed automata was shown decidable for certain 
(strict) subclasses of parametric timed automata, either by bounding the range of 
parameters [13] or by imposing syntactic restrictions on the use of parameters as 
in L/U automata [6,12]. The study of parametric timed automata in continuous
time with parameters ranging over the rational or real numbers showed
undecidability already for one parametric clock or for two parametric clocks with
exclusively strict guards [10]. We thus focus solely on integer-valued parameters
in this paper. 
Parametric reachability problems for interrupt timed automata were investigated
by Berard, Haddad, Jovanovic and Lime [7] with a number of positive
decidability results although their model is incomparable with the formalism
of timed automata studied in this paper. Other approaches include the inverse
method, where the authors describe a procedure for deriving constraints on
parameters in order to satisfy that timed automata remain time-abstract
equivalent; however, the termination of the procedure is in general not guaranteed.

2 Definitions 

We shall now introduce parametric timed automata, the studied problems and 
give an example of a parametric system for alarm sensor coordination. 

Let $\mathbb{N}_0$ denote the set of nonnegative integers and $\mathbb{R}_{\geq 0}$ the set of nonnegative
real numbers. Let $C$ be a finite set of clocks and let $\mathcal{P}$ be a finite set of parameters.
A simple clock constraint is an expression of the form $x \bowtie c$ where $x \in C$,
$c \in \mathbb{N}_0 \cup \mathcal{P}$ and $\bowtie \in \{<, \leq, =, \geq, >\}$. A guard is a conjunction of simple clock
constraints; we denote the set of all guards by $\mathcal{G}$. A conjunction of simple clock
constraints that contain only upper bounds on clocks, i.e. $\bowtie \in \{<, \leq\}$, is called
an invariant and the set of all invariants is denoted by $\mathcal{I}$.

A clock valuation is a function $\nu : C \to \mathbb{R}_{\geq 0}$ that assigns to each clock its
nonnegative real-time age and a parameter valuation is a function $\gamma : \mathcal{P} \to \mathbb{N}_0$ that
assigns to each parameter its nonnegative integer value. Given a clock valuation $\nu$,
a parameter valuation $\gamma$ and a guard (or invariant) $g \in \mathcal{G}$, we write $\nu, \gamma \models g$
if the guard expression $g$, after the substitution of all clocks $x \in C$ with $\nu(x)$
and all parameters $p \in \mathcal{P}$ with $\gamma(p)$, is true. By $\nu_0$ we denote the initial clock
valuation where $\nu_0(x) = 0$ for all $x \in C$. For a clock valuation $\nu$ and a delay
$d \in \mathbb{R}_{\geq 0}$, we define the clock valuation $\nu + d$ by $(\nu + d)(x) = \nu(x) + d$ for all
$x \in C$.

Definition 1 (Parametric Timed Automaton). A parametric timed automaton
(PTA) over the set of clocks $C$ and parameters $\mathcal{P}$ is a tuple
$A = (\Sigma, L, \ell_0, F, I, \to)$ where $\Sigma$ is a finite input alphabet, $L$ is a finite set of
locations, $\ell_0 \in L$ is the initial location, $F \subseteq L$ is the set of final (accepting)
locations, $I : L \to \mathcal{I}$ is an invariant function assigning invariants to locations,
and $\to \subseteq L \times \mathcal{G} \times \Sigma \times 2^C \times L$ is the set of transitions, written as
$\ell \xrightarrow{g, a, R} \ell'$ whenever $(\ell, g, a, R, \ell') \in \to$.

For the rest of this section, let $A = (\Sigma, L, \ell_0, F, I, \to)$ be a fixed PTA. We
say that a clock $x \in C$ is a parametric clock in $A$ if there is a simple clock
constraint of the form $x \bowtie p$ with $p \in \mathcal{P}$ that appears in a guard or an invariant
of $A$. Otherwise, if the clock $x$ is never compared to any parameter, we call it
a nonparametric clock.

A configuration of $A$ is a pair $(\ell, \nu)$ where $\ell \in L$ is the current location and
$\nu$ is the current clock valuation. For every parameter valuation $\gamma$ we define the
corresponding timed transition system $T_\gamma(A)$ where states are all configurations
$(\ell, \nu)$ of $A$ that satisfy the location invariants, i.e. $\nu, \gamma \models I(\ell)$, and the transition
relation is defined as follows:

— $(\ell, \nu) \xrightarrow{d} (\ell, \nu + d)$ where $d \in \mathbb{R}_{\geq 0}$ if $\nu + d, \gamma \models I(\ell)$;

— $(\ell, \nu) \xrightarrow{a} (\ell', \nu')$ where $a \in \Sigma$ if there is a transition $\ell \xrightarrow{g, a, R} \ell'$ in $A$ such that
$\nu, \gamma \models g$ and $\nu', \gamma \models I(\ell')$ where for all $x \in C$ we define $\nu'(x) = 0$ if $x \in R$
and $\nu'(x) = \nu(x)$ otherwise.


A timed language of $A$ under a parameter valuation $\gamma$, denoted by $L_\gamma(A)$, is
the collection of all accepted timed words of the form $(a_0, d_0)(a_1, d_1) \ldots (a_n, d_n) \in (\Sigma \times \mathbb{R}_{\geq 0})^*$
such that in the transition system $T_\gamma(A)$ there is a computation

$(\ell_0, \nu_0) \xrightarrow{d_0} (\ell_0, \nu'_0) \xrightarrow{a_0} (\ell_1, \nu_1) \cdots (\ell_n, \nu_n) \xrightarrow{d_n} (\ell_n, \nu'_n) \xrightarrow{a_n} (\ell_{n+1}, \nu_{n+1})$

where $\ell_{n+1} \in F$.

We can now define two problems for parametric timed automata, namely the 
reachability problem (reaching desirable locations) and safety problem (avoiding 
undesirable locations). Note that the problems are not completely dual, as the 
safety problem contains a hidden alternation of quantifiers. 


Problem 1 (Reachability Problem for PTA). Given a PTA $A$, is there a parameter
valuation $\gamma$ such that $L_\gamma(A) \neq \emptyset$?

Problem 2 (Safety Problem for PTA). Given a PTA $A$, is there a parameter
valuation $\gamma$ such that $L_\gamma(A) = \emptyset$?

We shall now present a small case study of a wireless fire alarm system
modelled as a parametric timed automaton. In the alarm setup, a number of 
wireless sensors communicate with the alarm controller over a limited number 
of communication channels (in our simplified example we assume just a single 
channel). The wireless alarm system uses a variant of Time Division Multiple 
Access (TDMA) protocol in order to guarantee a safe communication of multiple 
sensors over a shared communication channel. In TDMA the data stream is 
divided into frames and each frame consists of a number of time slots allocated 
for exclusive use by the present wireless sensors. Each sensor is assigned a single 
slot in each frame where it can transmit on the shared channel. 

We model each sensor as a timed automaton with two locations as shown
in Figure 1a and 1b. The sensor in Figure 1a waits in its initial location until
it receives a $wakeup_1$ message from the controller. After this, it takes strictly
between 2 to 3 seconds to gather the current status of the sensor and transmit it
as $result_1$ message back to the controller. Any subsequent wakeup signals during
the transmission phase are ignored and after the transmission phase is finished,
the sensor is ready to receive another wakeup signal. The sensor in Figure 1b
has a more complex behaviour as transmitting the answer $result_2$ can take either
strictly between 2 to 3 seconds, or 16 to 17 seconds.

The controller presented in Figure 1c is responsible for synchronising the two
sensors and for assigning them their time slots so that no transmissions interfere.
The parametric clock $x$ of the controller determines the size of the time slots.
First, it takes at most 2 seconds for the controller to wake up the first sensor
after which it waits until the elapsed time reaches the value of the parameter $p_1$.
If it receives the result of the reading of the first sensor in this time slot, it moves
immediately into the next location where it performs the wakeup of the second
sensor. If the first sensor does not deliver any result and the clock $x$ reaches
the value $p_1$, it also moves to the next location. Now a symmetric control is
performed for the second sensor. If any of the two sensors transmit during the
time the controller transmits the wakeup signals, we enter the location fail. The
fail location is also reached if $result_2$ is received in the time slot of the first sensor
and vice versa. The second clock $y$ is used to simply measure the duration of
the whole frame; whenever the duration of the frame reaches 20 seconds, the
controller enters the timeout location.

Fig. 1: Wireless Fire Alarm System. (b) Sensor 2; (c) Controller with parameters $p_1$ and $p_2$

We assume a standard handshake synchronisation of the controller and the 
two sensors running in parallel that results in a flat product timed automaton 
with two parameters $p_1$ and $p_2$. Note that $x$ is the only parametric clock in our
example. Now, our task is to find suitable values of the parameters that guide 
the duration of the time slots for the two sensors so that there is no behaviour 
of the protocol where it fails or timeouts. This question is equivalent to the 
safety problem on the constructed PTA where we mark fail and timeout as the 
accepting (undesirable) locations. 

The obvious parameter valuation where $\gamma(p_1) = 5$ and $\gamma(p_2) = 19$ guarantees
that the location fail is unreachable but it is not an acceptable solution as
the duration of the frame becomes 24 and we reach timeout. However, there is
another parameter valuation where $\gamma(p_1) = 5$ and $\gamma(p_2) = 9$ that guarantees
that there is no possibility to fail or timeout. This is due to the fact that if the
response time of the second sensor is too long, it skips one slot and the answer
fits into an appropriate slot in the next frame.

In Section 4 we provide an algorithmic solution for finding such a parameter
valuation that guarantees a given safety/reachability criterion. Note that as we 
are concerned with language (non)emptiness only, we employ two simplifications 
in the rest of the paper: First, we assume that the considered PTA have no 
invariants, as moving all invariants to guards preserves the language. Second, we 
assume that the alphabet is a singleton set as renaming all actions into a single 
action preserves language (non)emptiness. 


3 Undecidability for Three Parametric Clocks 

We shall now provide a reduction from the halting/boundedness problems of two
counter Minsky machine to the reachability/safety problems on PTA. A Minsky
machine with two nonnegative counters $c_1$ and $c_2$ is a sequence of labelled
instructions $1 : inst_1;\ 2 : inst_2;\ \ldots;\ n : inst_n$ where $inst_n = HALT$ and each $inst_i$,
$1 \leq i < n$, is of one of the following forms (for $r \in \{1, 2\}$ and $1 \leq j, k \leq n$):

— (Increment) $i$: $c_r$++; goto $j$

— (Test and Decrement) $i$: if $c_r = 0$ then goto $k$ else ($c_r$--; goto $j$)

A configuration is a triple $(i, v_1, v_2)$ where $i$ is the current instruction and
$v_1, v_2 \in \mathbb{N}_0$ are the values of the counters $c_1$ and $c_2$, respectively. A computation
step between configurations is defined in the natural way. If starting from the
initial configuration $(1, 0, 0)$ the machine reaches the instruction HALT (note
that the computation is deterministic) then we say it halts, otherwise it loops.
The problem whether a given Minsky machine halts is undecidable [16]. The
boundedness problem, i.e. the question whether there is a constant $K$ such that
$v_1 + v_2 \leq K$ for any configuration $(i, v_1, v_2)$ reachable from $(1, 0, 0)$, is also
undecidable.

The reduction from a two counter Minsky machine to PTA with a single
parameter $p$ and three parametric clocks $x_1$, $x_2$ and $z$ is depicted in Figure 2.
The reduction rules are shown only for the instructions handling the first counter.
The rules for the second counter are symmetric. We also omit the transition labels
as they are not relevant for the emptiness problem. The reduction preserves the
property that whenever we are in a configuration $(\ell_i, \nu)$ where $\nu(z) = 0$ then
$\nu(x_1)$ and $\nu(x_2)$ represent the exact values of the counters $c_1$ resp. $c_2$, and the
next instruction to be executed is the one with label $i$. Note also that there are
no invariants used in the constructed automaton.

Lemma 1. Let $M$ be a Minsky machine. Let $A$ be the PTA built according to
the rules in Figures 2a and 2b (without the transitions for safety) and where $\ell_1$
is the initial location and $\ell_n$ is the only accepting location. The Minsky machine
$M$ halts iff there is a parameter valuation $\gamma$ such that $L_\gamma(A) \neq \emptyset$.

Fig. 2: Encoding of Minsky Machine as PTA with a single parameter $p$. (c) For safety, add this for every instruction $i$: $c_1$++; goto $j$


Proof (Sketch). We only sketch a part of the proof to show the basic idea. We
argue that from the configuration $(\ell_i, \nu)$ where $\nu(z) = 0$ and where $\nu(x_1)$ and
$\nu(x_2)$ represent the counter values, there is a unique way to move from $\ell_i$ to $\ell_j$
(or possibly also to $\ell_k$ in the case of the test and decrement instruction) where
again $\nu(z) = 0$ and the counter values are updated accordingly. As there are
no invariants in the automaton, we can always delay long enough so that we
get stuck in a given location, but this behaviour will not influence the language
emptiness problem we are interested in.

Consider the automaton for the increment instruction from Figure 2a and
assume we are in a configuration $(\ell_i, \nu)$ where $\nu(z) = 0$, $\nu(x_1) = v_1$ and $\nu(x_2) = v_2$.
First note that if $v_1 \geq p$ then there is no execution ending in $\ell_k$ due to the
forced delay of one time unit on the transition leaving $\ell_i$ and the guard $x_1 = p$
tested in both the upper and lower branch in the automaton. Assume thus that
$v_1 < p$. If $v_1 \geq v_2$ then we can perform the following execution with uniquely
determined time delays (for the intermediate configurations only the clock
valuations are shown):

$(\ell_i, [x_1 \mapsto v_1, x_2 \mapsto v_2, z \mapsto 0])$
$\to [x_1 \mapsto v_1 + 1, x_2 \mapsto v_2 + 1, z \mapsto 0]$
$\to [x_1 \mapsto 0, x_2 \mapsto p - v_1 + v_2, z \mapsto p - v_1 - 1]$
$\to [x_1 \mapsto v_1 - v_2, x_2 \mapsto 0, z \mapsto p - v_2 - 1]$
$\to [x_1 \mapsto v_1 - v_2 + 1, x_2 \mapsto 0, z \mapsto p - v_2]$
$\to (\ell_j, [x_1 \mapsto v_1 + 1, x_2 \mapsto v_2, z \mapsto 0])$.

In this case where $v_1 \geq v_2$,
executing the lower branch of the automaton will result in getting stuck in a
location, as here necessarily $\nu(x_1) > p$. Clearly, there is a unique way of getting
to $\ell_j$ in which the clock valuation of $x_1$ was incremented by one, hence faithfully
simulating the increment instruction of the Minsky machine. The other cases
and instructions are dealt with similarly, see Appendix A. □

Lemma 2. Let $M$ be a Minsky machine. Let $A$ be the PTA built according to the
rules in Figures 2a, 2b and 2c (including the transitions for safety) and where $\ell_1$
is the initial location and $\ell_{acc}$ is the only accepting location. The Minsky machine
$M$ is bounded iff there is a parameter valuation $\gamma$ such that $L_\gamma(A) = \emptyset$.

Proof. If the computation of the Minsky machine is unbounded then clearly, for
any parameter value of $p$, the Minsky machine will eventually try to make one of
the counters larger than or equal to $p$ (using the increment instruction). Necessarily,
we will then have $\nu(x_1) = p$ or $\nu(x_2) = p$ in the location $\ell_j$ where we end after
performing the increment instruction $j$, implying that we can reach the accepting
location $\ell_{acc}$ due to the transition added in Figure 2c and hence the language
is nonempty. On the other hand, if the parameter $p$ is large enough and the
computation bounded (note that the boundedness condition $\exists K.\ v_1 + v_2 \leq K$ is
equivalent to $\exists K.\ \max\{v_1, v_2\} \leq K$), we will not be able to enter the accepting
location $\ell_{acc}$ and the language is empty. □

We now conclude with the main theorem of this section, tightening the previously
known undecidability result that used six parameters and three parametric
clocks [3]. The theorem is valid for both the continuous-time and the discrete-time
semantics due to the exact guards in all transitions of the constructed PTA
that allow to take transitions only after integer delays.

Theorem 1. The reachability and safety problems are undecidable for PTA with 
one integer parameter, three parametric clocks and no further nonparametric 
clocks in the continuous-time as well as the discrete-time semantics. 

4 Decidability for One Parametric Clock 

In this section, we show that both the reachability and safety problems for PTA
with a single parametric clock are decidable. Our general strategy is similar to
that of [3], i.e. reducing the original PTA (which has continuous-time semantics
in our case) into a so-called parametric 0/1-timed automaton with just a single
clock. It is shown in that the set of parameter valuations that ensure language
nonemptiness of a given parametric 0/1-timed automaton with single clock is
effectively computable. Moreover, in [5] the authors show that the reachability
problem for parametric 0/1-timed automata is polynomial-time reducible to the
halting problem of parametric bounded one-counter machines, which is in NP.
As the parametric 0/1-timed automaton is going to be exponential in the size
of the original PTA, this makes the reachability problem for PTA with a single
parametric clock belong to the NEXPTIME complexity class.

A 0/1-timed automaton is a timed automaton with discrete time, in which all
the delays are explicitly encoded via two kinds of delay transitions: 0-transitions
and 1-transitions. Formally, we enrich the syntax of a timed automaton with two
transition relations $\xrightarrow{0}, \xrightarrow{1} \subseteq L \times L$ and modify the semantics so that
$(\ell, \nu) \xrightarrow{0} (\ell', \nu)$ iff $\ell \xrightarrow{0} \ell'$ and $(\ell, \nu) \xrightarrow{1} (\ell', \nu + 1)$ iff $\ell \xrightarrow{1} \ell'$; other delays in the timed
transition system are no longer possible.

Note that this treatment of $\xrightarrow{0}$ and $\xrightarrow{1}$ as special transitions differs slightly
from the original definition of [3], in which a 0/1 label is given to every transition
of the 0/1-timed automaton. This change is only cosmetic; the ability to
distinguish between 0/1-transitions and action transitions will be useful in later
proofs.

Corner-Point Abstraction. As we are concerned with continuous time, our reduction
to 0/1-timed automata is more convoluted than that of [3], in which
the nonparametric clocks were eliminated by moving their integer values into 
locations. In our setting, using region abstraction to eliminate nonparametric 
clocks will not allow us to correctly identify the 0/1 delays. We thus choose 
to use corner-point abstraction [4] that is finer than the region-based one. In 
this abstraction, each region is associated with a set of its corner points. Note 
that the original definition only deals with timed automata that are bounded, 
while we want to be more general here. For this reason, we extend the original 
definition with extra corner points for unbounded regions. 

We first define the region equivalence [2]. Let $M \in \mathbb{N}_0$ be the largest constant
appearing in the constraints of a given timed automaton. Note that in the original
definition the largest constant is considered for each clock independently. For the
sake of readability, we consider $M$ to be a common upper bound for each clock.
Let $\nu, \nu'$ be clock valuations. Let further $fr(t)$ be the fractional part of $t$ and $\lfloor t \rfloor$
be the integral part of $t$. We define an equivalence relation $\equiv$ on clock valuations
by $\nu \equiv \nu'$ if and only if the following three conditions are satisfied:

— for all $x \in C$ either $\nu(x) > M$ and $\nu'(x) > M$ or $\lfloor \nu(x) \rfloor = \lfloor \nu'(x) \rfloor$;

— for all $x, y \in C$ such that $\nu(x) \leq M$ and $\nu(y) \leq M$, $fr(\nu(x)) \leq fr(\nu(y))$ if
and only if $fr(\nu'(x)) \leq fr(\nu'(y))$;

— for all $x \in C$ such that $\nu(x) \leq M$, $fr(\nu(x)) = 0$ if and only if $fr(\nu'(x)) = 0$.

We define a region as an equivalence class of clock valuations induced by $\equiv$.
A region $r'$ is a time successor of a region $r$ if for all $\nu \in r$ there exists $d \in \mathbb{R}_{\geq 0}$
such that $\nu + d \in r'$ and for all $d'$, $0 \leq d' \leq d$, we have $\nu + d' \in r \cup r'$. As the
time successor is unique if it exists, we use $succ(r)$ to denote the time successor
of $r$. Moreover, if no time successor of $r$ exists, we let $succ(r) = r$.
Fig. 3: Corner point abstraction. (a) Corner points where $M = 2$ and $C = \{x, y\}$; (b) Fragment of an evolution of a region with a corner point (locations are omitted for simplicity)


An $(M+1)$-corner point $\alpha : C \to \mathbb{N}_0 \cap [0, M+1]$ is a function which assigns an
integer value from the interval $[0, M+1]$ to each clock. We define the successor
of the $(M+1)$-corner point $\alpha$, denoted by $succ(\alpha)$, as follows:

for each $x \in C$, $succ(\alpha)(x) = \alpha(x) + 1$ if $\alpha(x) < M$, and $succ(\alpha)(x) = M + 1$ otherwise.

For $R \subseteq C$, we define the reset of the corner point $\alpha$, denoted by $\alpha[R]$, as follows:

for each $x \in C$, $\alpha[R](x) = \alpha(x)$ if $x \notin R$, and $\alpha[R](x) = 0$ if $x \in R$.

We say $\alpha$ is a corner point of a region $r$ whenever $\alpha$ is in the topological closure
of $r$. The construction of the corner-point abstraction is illustrated in Figure 3.
Notice the corner points in unbounded regions.


Construction of the Parametric 0/1-Timed Automaton. Now we show how to
construct for a given PTA with one parametric clock an equivalent 0/1-PTA
with just one clock. Let $A = (\Sigma, L, \ell_0, F, I, \to)$ be the original PTA over the set
of clocks $C$ and parameters $\mathcal{P}$. Let $x_p$ denote the only parametric clock.

We first modify the automaton by adding a fresh clock $z$ as follows: every
transition $\ell \xrightarrow{g, a, R} \ell'$ is changed into $\ell \xrightarrow{g, a, R'} \ell'$ where $R' = R$ if $x_p \notin R$,
and $R' = R \cup \{z\}$ otherwise. To every location $\ell$ we then add a new self-loop
transition $\ell \longrightarrow \ell$. Intuitively, the new clock $z$ will always contain the
fractional part of $x_p$. We call this new automaton $A'$. Clearly, this modification
preserves the language (non)emptiness of the original automaton $A$.

In the second step, we use the corner-point abstraction of $A'$ with respect to
all clocks except for $x_p$ to create the 0/1-timed automaton with a single clock.
Let $C = (C \cup \{z\}) \setminus \{x_p\}$ and let $M$ be the largest constant appearing in the
guards concerning the clocks in $C$. In the following, we consider regions and
corner-points with respect to clocks in $C$ and the bound $M$. Let $Reg$ denote the
set of all such regions and let $Cp$ denote the set of all corresponding corner-points,
i.e. $Cp = (\mathbb{N}_0 \cap [0, M+1])^C$.

We use the following auxiliary notation. Let $r \in Reg$ and $\alpha \in Cp$.

$t(r, \alpha) = LESS$ if $\alpha(z) = 1$ and $r \not\models z = 1$,
$t(r, \alpha) = MORE$ if $\alpha(z) = 0$ and $r \not\models z = 0$,
$t(r, \alpha) = EXACT$ otherwise.

The 0/1-timed automaton over the singleton set of clocks $\{x_p\}$ is
$A = (\Sigma, L \times Reg \times Cp, (\ell_0, r_0, \alpha_0), F \times Reg \times Cp, I, \to)$ where $r_0$ is the initial region and
$\alpha_0(x) = 0$ for all $x \in C$ is the initial corner-point. The transition relation is
defined as follows:

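— zero delay: $(\ell, r, \alpha) \xrightarrow{0} (\ell, r', \alpha)$ if $r' = succ(r)$ and $\alpha$ is a corner-point of both
$r$ and $r'$;

— unit delay: $(\ell, r, \alpha) \xrightarrow{1} (\ell, r, \alpha')$ if $\alpha' = succ(\alpha)$ and both $\alpha$ and $\alpha'$ are
corner-points of $r$;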

— action: whenever £ £' in A' then let gi, ..., gk be all the simple clock 

constraints appearing in g comparing clocks from C and let hi, ..., be 
the remaining simple clock constraints, i.e. those that consider Xp. For every 
{£, r, a) that satisfies (1) r \= gi A ■■■ A gk and (2) if t(r, a) ^ EXACT then 

no hi contains equality (=), we set {£,r,a) (£', r[i?\{xp}], a[i?\ 

{xp}]), where R = {xp} if Xp G i? and R = % otherwise. The constraints hi 
are created as follows: all Xp are changed into Xp; if L{r,a) = LESS, all < 
are changed into < and all > are changed into >; if i{r,a) = MORE, all < 
are changed into < and all > are changed into >. 
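
The region equivalence, the corner-point successor and reset, and the unit-delay rule of the construction can be checked on concrete valuations. The following Python sketch is an added example, not code from the paper; the function names are hypothetical, and the corner points of a region are enumerated directly from the closure definition (clocks above $M$ contribute the values $M$ and $M+1$, which is an assumption derived from that definition).

```python
from fractions import Fraction
from itertools import product
from math import floor


def frac(t):
    """Fractional part fr(t) of a clock value."""
    return t - floor(t)


def conditions_hold(nu, mu, M):
    """The three region-equivalence conditions, read in the direction nu -> mu."""
    for x in nu:
        both_above = nu[x] > M and mu[x] > M
        if not (both_above or floor(nu[x]) == floor(mu[x])):
            return False
    bounded = [x for x in nu if nu[x] <= M]
    for x in bounded:
        if (frac(nu[x]) == 0) != (frac(mu[x]) == 0):
            return False
        for y in bounded:
            if (frac(nu[x]) <= frac(nu[y])) != (frac(mu[x]) <= frac(mu[y])):
                return False
    return True


def region_equivalent(nu, mu, M):
    # Checked in both directions: read one way only, nu(x) = M + 1/2 and
    # mu(x) = M would pass, because no condition constrains a clock above M.
    return conditions_hold(nu, mu, M) and conditions_hold(mu, nu, M)


def succ(alpha, M):
    """Successor of a corner point: every clock advances by one, capped at M + 1."""
    return {x: (a + 1 if a < M else M + 1) for x, a in alpha.items()}


def reset(alpha, R):
    """Corner point alpha[R]: clocks in R are set to 0, the others are kept."""
    return {x: (0 if x in R else a) for x, a in alpha.items()}


def corner_points(nu, M):
    """Integer points of [0, M+1]^C lying in the closure of the region of nu."""
    above = sorted(x for x in nu if nu[x] > M)
    bounded = [x for x in nu if nu[x] <= M]
    # Distinct positive fractional parts in ascending order. A limit point
    # sends a prefix of these classes down to 0 and the remaining ones up to 1.
    classes = sorted({frac(nu[x]) for x in bounded if frac(nu[x]) > 0})
    points = []
    for cut in range(len(classes) + 1):
        base = {}
        for x in bounded:
            f = frac(nu[x])
            rounds_up = f > 0 and classes.index(f) >= cut
            base[x] = floor(nu[x]) + int(rounds_up)
        # Assumption: a clock above M may sit at M or M + 1 in the closure.
        for choice in product((M, M + 1), repeat=len(above)):
            points.append({**base, **dict(zip(above, choice))})
    return points


def unit_delay_allowed(nu, alpha, M):
    """Unit-delay rule: alpha and succ(alpha) are both corner points of the region."""
    pts = corner_points(nu, M)
    return alpha in pts and succ(alpha, M) in pts


if __name__ == "__main__":
    M = 2  # constructed sample: two clocks, largest constant 2
    nu = {"x": Fraction(1, 4), "y": Fraction(3, 4)}
    print(corner_points(nu, M))
    print(unit_delay_allowed(nu, {"x": 0, "y": 0}, M))
```

For the open triangle $0 < x < y < 1$ the corner points are $(0,0)$, $(0,1)$ and $(1,1)$, and only $(0,0)$ admits a unit delay inside the region.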

Theorem 2. The reachability and safety problems for parametric timed automata
over integer parameters with one parametric clock in the continuous-time
semantics are decidable. Moreover, the reachability problem is in NEXPTIME.

Proof (Idea). Due to space constraints, the complete proof can be found in the
appendix. As mentioned above, the modification from $A$ to $A'$ preserves the
language (non)emptiness. The idea of the proof is to show that for every given
parameter valuation, every run of $A'$ has a corresponding run in $A$ and vice versa.
This shows that the reachability and safety problems for parametric timed automata
with one parametric clock reduce to the reachability and safety problems
for parametric 0/1-timed automata. These problems were shown decidable in [3].
The complexity argument is discussed in the beginning of this section. □

5 Conclusion 

We have shown that for three parametric clocks with a single integer parameter,
both the reachability and safety problems are undecidable in the discrete
as well as the continuous semantics. This improves the previously known
undecidability result by Alur, Henzinger and Vardi [3] where six parameters were
needed. For the case with a single parametric clock with an unrestricted number
of integer parameters and with any number of additional nonparametric
clocks, we contributed to the solution of an open problem stated more than 20
years ago by proving a decidability result for reachability and safety problems
in the continuous semantics, extending the previously known decidability result
for the discrete-time semantics [3]. To achieve this result, we used the
corner-point abstraction technique that had to be modified to handle also corner-points
in unbounded regions, contrary to the use of the technique in [4]. Not surprisingly,
the decidability of the problem in case of two parametric clocks in the
continuous-time setting remains open, as it is the case also for a number of other
problems over timed automata with two real-time clocks. On the other hand,
as demonstrated by our wireless fire alarm case study, the parameter synthesis
problem for one parametric clock and an unlimited number of parameters is
sufficiently expressive in order to describe nontrivial scheduling problems. As a next
step, we will consider moving from corner-point regions into zones and provide
an efficient implementation of the presented techniques.
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A Appendix: Proof of Lemma [T] 

Lemma [T} Let M be a Minsky machine. Let A he the PTA built according to 
the rules in Figures and\^ (without the transitions for safety) and where £i 
is the initial location and in is the only accepting location. The Minsky machine 
M halts if and only if there is a parameter valuation 7 such that L.y{A) ^ 0. 

Proof. We shall first argue that from the configuration where v{z) = 0 

and where h'(xi) and h'{x 2 ) represent the counter values, there is a unique way to 
move from £i to £j (or possibly also to ik in case of test and decrement instruction) 
where again z/(z) = 0 and the counter values are updated accordingly. As there 
are no invariants in the automaton, we can always delay long enough so that we 
get stuck in a given location, but this behaviour will not influence the language 
emptiness problem we are interested in. 

Consider first the automaton for the increment instruction from Figure I2al 
and assume we are in a configuration where iy{z) = 0, v{xi) = vi and 

v{x 2 ) = V 2 . First note that if m > p then there is no execution ending in £k due 
to the forced delay of one time unit on the transition from £i to £} and the guard 
xi = p tested in both the upper and lower branch in the automaton. Assume 
thus that vi < p. If vi > V 2 then we can perform the following execution with 
uniquely determined time delays: 


(£i, [xi !-)• Vi,X2 ^ V2,Z^ 0 ]) ^ 

(£), [xi !->• + 1,X2 !->• ti2 + 1,Z !->■ 0]) 

{£^,[Xl ^ \i,X2 ^ p — Vl + V2,z ^ p — Vl — IJ) ->■ 

{£), [xi ^ Vi - V2,X2 ^ Q, z ^ p - V2 - 1 ]) ^ 

{£), [xi 1 -^ Vl — V2 + I, X2 0 , z 1 -^ p — ^2]) ^ 

{£j, [xi ^ Vi + l,X2 ^ V 2 ,Z !->• 0 ]). 


In this case where vi > V 2 , executing the lower branch of the automaton will 
result in getting stuck in the location as here necessarily i'(xi) > p. Assume 
now that vi < V 2 . If we take upper branch in the automaton now then we get 
stuck. However, we can execute along the lower branch as follows: 

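$(\ell_i, [x_1 \mapsto v_1, x_2 \mapsto v_2, z \mapsto 0]) \to$

$(\ell, [x_1 \mapsto v_1 + 1, x_2 \mapsto v_2 + 1, z \mapsto 0]) \to$

$(\ell, [x_1 \mapsto p - v_2 + v_1, x_2 \mapsto 0, z \mapsto p - v_2 - 1]) \to$

$(\ell, [x_1 \mapsto p - v_2 + v_1 + 1, x_2 \mapsto 0, z \mapsto p - v_2]) \to$

$(\ell, [x_1 \mapsto 0, x_2 \mapsto v_2 - v_1 - 1, z \mapsto p - v_1 - 1]) \to$

$(\ell_j, [x_1 \mapsto v_1 + 1, x_2 \mapsto v_2, z \mapsto 0])$.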

In both cases, it is clear that the clock valuation of $x_1$ was incremented by one
(due to uniquely given time delays during the computations) and hence they
faithfully simulate the behaviour of the Minsky machine.

Regarding the automaton for test and decrement instruction from Figure 2b,
assume we are in the configuration with $\nu(x_1) = v_1$, $\nu(x_2) = v_2$ and
$\nu(z) = 0$. It is clear that if $v_1 = 0$ then we continue from location $\ell_k$ as expected
and if $v_1 > 0$ then we can enter the configuration $(\ell, x_1 \mapsto v_1, x_2 \mapsto v_2, z \mapsto 0)$;
note that the guard $z = 0$ guarantees that no time has elapsed. In the latter
case, if $v_1 > v_2$ then we can execute the upper branch as follows:


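$(\ell, x_1 \mapsto v_1, x_2 \mapsto v_2, z \mapsto 0) \to$

$(\ell, x_1 \mapsto 0, x_2 \mapsto p - v_1 + v_2, z \mapsto p - v_1) \to$

$(\ell, x_1 \mapsto 0, x_2 \mapsto p - v_1 + v_2 + 1, z \mapsto p - v_1 + 1) \to$

$(\ell, x_1 \mapsto v_1 - v_2 - 1, x_2 \mapsto 0, z \mapsto p - v_2) \to$

$(\ell_j, x_1 \mapsto v_1 - 1, x_2 \mapsto v_2, z \mapsto 0)$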

and if $v_1 \leq v_2$ we can execute the lower branch as follows:


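$(\ell, x_1 \mapsto v_1, x_2 \mapsto v_2, z \mapsto 0) \to$

$(\ell, x_1 \mapsto p - v_2 + v_1, x_2 \mapsto 0, z \mapsto p - v_2) \to$

$(\ell, x_1 \mapsto 0, x_2 \mapsto v_2 - v_1, z \mapsto p - v_1) \to$

$(\ell, x_1 \mapsto 0, x_2 \mapsto v_2 - v_1 + 1, z \mapsto p - v_1 + 1) \to$

$(\ell_j, x_1 \mapsto v_1 - 1, x_2 \mapsto v_2, z \mapsto 0)$.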

Clearly, the clock value in $x_1$ has been decremented in both cases. Should the
lower branch be taken in case $v_1 > v_2$ or the upper branch in case $v_1 \leq v_2$, we
get stuck again.

Now if the Minsky machine halts then in the constructed PTA we can reach
the accepting location $\ell_n$ for any parameter valuation $\gamma(p)$ larger than the
maximum value of the counters during the computation and the answer to the
reachability problem is hence positive. If, on the other hand, the Minsky machine
loops then there is no parameter valuation $\gamma(p)$ that will allow us to reach the
location $\ell_n$. This is due to the fact that either one of the counters exceeds the
chosen parameter value and we get stuck or the computation will continue
forever and never reach $\ell_n$. $\Box$
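
The four traces in the proof above (increment and test-and-decrement, upper and lower branch) can be replayed mechanically to see that exactly one branch survives and that it updates $x_1$ as claimed. The following Python sketch is an added example, not code from the paper: the step lists are read off the traces (the guards of Figure 2 are not reproduced on this page, and the unit delays are taken as given), and the names `BRANCHES`, `run` and `outcomes` are hypothetical.

```python
# Steps of each branch as read off the traces in the proof above (assumption:
# the guards themselves are in Figure 2, which this page does not reproduce).
#   ("wait", c)   let time pass until clock c equals the parameter p
#   ("tick",)     let exactly one time unit pass
#   ("reset", c)  reset clock c to 0
def W(c): return ("wait", c)
def R(c): return ("reset", c)
T = ("tick",)

BRANCHES = {
    "inc": {
        "upper": [T, R("z"), W("x1"), R("x1"), W("x2"), R("x2"),
                  T, R("x2"), W("z"), R("z")],
        "lower": [T, R("z"), W("x2"), R("x2"), T, R("x2"),
                  W("x1"), R("x1"), W("z"), R("z")],
    },
    "dec": {  # entered only after the test x1 > 0 has succeeded
        "upper": [W("x1"), R("x1"), T, R("x1"), W("x2"), R("x2"), W("z"), R("z")],
        "lower": [W("x2"), R("x2"), W("x1"), R("x1"), T, R("x1"), W("z"), R("z")],
    },
}

def run(steps, v1, v2, p):
    """Replay one branch from x1=v1, x2=v2, z=0; return None if it gets stuck."""
    val = {"x1": v1, "x2": v2, "z": 0}
    for step in steps:
        if step[0] == "reset":
            val[step[1]] = 0
            continue
        delay = 1 if step[0] == "tick" else p - val[step[1]]
        if delay < 0:  # the clock already passed p, so the guard c = p is unreachable
            return None
        val = {c: x + delay for c, x in val.items()}
    return (val["x1"], val["x2"], val["z"])

def outcomes(instr, v1, v2, p):
    """Final valuation (x1, x2, z) of every branch of the gadget that does not get stuck."""
    results = {name: run(steps, v1, v2, p) for name, steps in BRANCHES[instr].items()}
    return {name: res for name, res in results.items() if res is not None}

if __name__ == "__main__":
    for args in [("inc", 3, 1, 5), ("inc", 1, 3, 5), ("inc", 5, 0, 5), ("dec", 2, 2, 5)]:
        print(args, outcomes(*args))
```

An empty result, as for `("inc", 5, 0, 5)`, is the case where a counter has reached the chosen parameter value and every branch gets stuck.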


B Appendix: Proof of Theorem [2] 

Theorem 2. The reachability and safety problems for parametric timed automata
over integer parameters with one parametric clock in the continuous-time
semantics are decidable. Moreover, the reachability problem is in NEXPTIME.

The semantics of a 0/1-timed automaton is similar to that of a timed
automaton except for the fact that the delays are explicitly given by the 0/1-delay
transitions and the valuations of clocks are natural numbers. In our case we have
only one clock, $x_p$, which means that a configuration of $A$ is a tuple $(\ell, r, \alpha, t)$
where $(\ell, r, \alpha)$ is a location of $A$ and $t \in \mathbb{N}_0$ represents the valuation of $x_p$.

Note that the 0/1-delay transitions in $A$ are always deterministic and
exclusive: every location $(\ell, r, \alpha)$ either has an outgoing 0-delay transition or an
outgoing 1-delay transition, but not both. Moreover, after a 1-delay transition there
always follows a 0-delay transition, except in the case when the 1-delay transition
ends in the unbounded region.

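Recall the $\iota(r, \alpha)$ notation for $r \in \mathit{Reg}$ and $\alpha \in C_p$:

$$
\iota(r, \alpha) =
\begin{cases}
\text{LESS} & \alpha(z) = 1 \text{ and } r \not\models z = 1 \\
\text{MORE} & \alpha(z) = 0 \text{ and } r \not\models z = 0 \\
\text{EXACT} & \text{otherwise}
\end{cases}
$$

In order to prove the correctness of our construction, we also define an
auxiliary notion of correspondence. Let $\nu : (C \cup \{z\}) \to \mathbb{R}_{\geq 0}$, $r \in \mathit{Reg}$, $\alpha \in C_p$, and
$t \in \mathbb{N}_0$. We say that $\nu$ corresponds with $(r, \alpha, t)$ if the following holds:

1. $\nu|_C \in r$;

2. $\lfloor \nu(x_p) \rfloor + f(r, \alpha) = t$, where $f(r, \alpha) = 1$ if $\iota(r, \alpha) = \text{LESS}$ and $f(r, \alpha) = 0$
otherwise;

3. $\nu(x_p) \in \mathbb{N}_0 \Leftrightarrow \iota(r, \alpha) = \text{EXACT}$.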

In the following, let us fix a valuation of all parameters of V. We are going to
show that all runs of $A'$ have corresponding runs in $A$ and vice versa. Note that
due to the construction of $A'$, we shall ignore all runs in which the new clock $z$
becomes larger than 1, as such situations are effectively deadlocks.

Lemma 3. Let $(\ell, \nu)$ be a configuration of $A'$ with $\nu(z) < 1$, let $(\ell, \nu) \xrightarrow{d} (\ell, \nu + d)$
be a delay transition with $d \in [0, 1 - \nu(z)]$, and let $(r, \alpha, t) \in \mathit{Reg} \times C_p \times \mathbb{N}_0$ such
that $\nu$ corresponds with $(r, \alpha, t)$. Then $(\ell, r, \alpha, t) \to^* (\ell, r', \alpha', t')$ such that $\nu + d$
corresponds with $(r', \alpha', t')$.

Proof. For simplicity, we assume that $d$ is small enough in the following sense:
Either $\nu$ and $\nu + d$ (restricted to clocks of $C$) are in the same region, or the region
of $\nu + d$ is a successor of the region of $\nu$. This comes without loss of generality, as
every delay transition can be split into finitely many such small delay transitions.
We also assume that $d > 0$.

If both $\nu|_C$ and $(\nu + d)|_C$ belong to $r$ then clearly $\lfloor \nu(x_p) + d \rfloor = \lfloor \nu(x_p) \rfloor$ and
neither of $\nu(x_p)$ and $\nu(x_p) + d$ belong to $\mathbb{N}_0$. This means that $\nu + d$ corresponds
with $(r, \alpha, t)$.

Let us now assume that $\nu|_C \in r$ and $(\nu + d)|_C \in r'$ where $r'$ is the successor
of $r$. There are two possibilities depending on whether $(\ell, r, \alpha)$ has a 0-delay or
a 1-delay transition.

If $(\ell, r, \alpha) \xrightarrow{0} (\ell, r', \alpha)$, this means that also $(\ell, r, \alpha, t) \xrightarrow{0} (\ell, r', \alpha, t)$. We show
that $\nu + d$ corresponds with $(r', \alpha, t)$. Condition 1 is clearly satisfied. To show
the satisfaction of Conditions 2 and 3, we need to discuss three cases:

— $\nu(z) = 0$: This means that necessarily $r \models z = 0$ and $\alpha(z) = 0$, thus
$\iota(r, \alpha) = \text{EXACT}$ and $\iota(r', \alpha) = \text{MORE}$. Therefore $f(r, \alpha) = f(r', \alpha) = 0$
and the conditions are clearly met as $\lfloor \nu(x_p) + d \rfloor = \lfloor \nu(x_p) \rfloor$ and $\nu(x_p) + d \notin \mathbb{N}_0$.

— $\nu(z) \in (0, 1 - d)$: This means that necessarily neither $r$ nor $r'$ contain
a valuation with integer value for $z$ and thus $\iota(r, \alpha) = \iota(r', \alpha) \neq \text{EXACT}$.
This means that $f(r, \alpha) = f(r', \alpha)$ and the conditions are clearly met as
$\lfloor \nu(x_p) + d \rfloor = \lfloor \nu(x_p) \rfloor$ and both $\nu(x_p), \nu(x_p) + d \notin \mathbb{N}_0$.

— $\nu(z) = 1 - d$: This means that necessarily $r' \models z = 1$ and $\alpha(z) = 1$, thus
$\iota(r, \alpha) = \text{LESS}$ and $\iota(r', \alpha) = \text{EXACT}$. This means that $f(r, \alpha) = 1$ while
$f(r', \alpha) = 0$. We have $\lfloor \nu(x_p) + d \rfloor = \lfloor \nu(x_p) \rfloor + 1$ and $\nu(x_p) + d \in \mathbb{N}_0$, the
conditions are thus met again.

If $(\ell, r, \alpha) \xrightarrow{1} (\ell, r, \alpha')$ then also $(\ell, r, \alpha') \xrightarrow{0} (\ell, r', \alpha')$ as noted above (due to
the bound on $\nu(z)$, $r$ is not the unbounded region). This means that
$(\ell, r, \alpha, t) \xrightarrow{1} \xrightarrow{0} (\ell, r', \alpha', t + 1)$. Here, $\alpha'$ is the successor of $\alpha$ and $r'$ is the successor of $r$. We show
that $\nu + d$ corresponds with $(r', \alpha', t + 1)$. Again, Condition 1 is clearly satisfied.
Note that in this case $r \not\models z = 0$ and $\alpha(z) = 0$. This means that $\alpha'(z) = 1$,
$\iota(r, \alpha) = \text{MORE}$, $\iota(r, \alpha') = \text{LESS}$, $f(r, \alpha) = 0$, and $f(r, \alpha') = 1$. This also means
that $\nu(z) > 0$ and we only have two cases:

— $\nu(z) \in (0, 1 - d)$: This means that $r' \not\models z = 1$ and thus $\iota(r', \alpha') = \text{LESS}$.
Condition 3 is clearly satisfied as $\nu(x_p) + d \notin \mathbb{N}_0$. To show that Condition 2
is satisfied, consider that $f(r', \alpha') = 1$ and $\lfloor \nu(x_p) + d \rfloor = \lfloor \nu(x_p) \rfloor$.

— $\nu(z) = 1 - d$: This means that $r' \models z = 1$ and thus $\iota(r', \alpha') = \text{EXACT}$.
Condition 3 is clearly satisfied as $\nu(x_p) + d \in \mathbb{N}_0$. To show that Condition 2
is satisfied, consider that $f(r', \alpha') = 0$ and $\lfloor \nu(x_p) + d \rfloor = \lfloor \nu(x_p) \rfloor + 1 = t + 1$.

$\Box$

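Lemma 4. Let $(\ell, \nu)$ be a configuration of $A'$ with $\nu(z) < 1$, let $(\ell, \nu) \xrightarrow{a} (\ell', \nu')$
be an action transition, and let $(r, \alpha, t) \in \mathit{Reg} \times C_p \times \mathbb{N}_0$ such that $\nu$
corresponds with $(r, \alpha, t)$. Then $(\ell, r, \alpha, t) \xrightarrow{a} (\ell', r', \alpha', t')$ such that $\nu'$ corresponds
with $(r', \alpha', t')$.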

Proof. The transition $(\ell, \nu) \xrightarrow{a} (\ell', \nu')$ is due to a transition $\ell \xrightarrow{g, a, R} \ell'$ of the
timed automaton $A'$ where $\nu \models g$ and $\nu' = \nu[R]$. Let now $g_1, \ldots, g_k$ be all
the simple clock constraints of $g$ that consider clocks from $C$ and $h_1, \ldots, h_n$ be
the remaining simple clock constraints, as in the construction of the 0/1-timed
automaton $A$. We know that $r \models g_1 \wedge \cdots \wedge g_k$ as $\nu|_C \in r$. We thus know that
$(\ell, r, \alpha) \xrightarrow{h'_1 \wedge \cdots \wedge h'_n, a, R} (\ell', r[R \setminus \{x_p\}], \alpha[R \setminus \{x_p\}]) = (\ell', r', \alpha')$, where $h'_i$ and $R$
are given by the construction. We first need to show that $t$ satisfies all clock
constraints $h'_i$.

— If $h_i = (x_p < e)$ then $\nu(x_p) < e$ and thus $\lfloor \nu(x_p) \rfloor \leq e - 1$. If $\iota(r, \alpha) = \text{LESS}$
then $f(r, \alpha) = 1$ and $t \leq (e - 1) + 1 = e$, which satisfies the constraint
$h'_i = (x_p \leq e)$. Otherwise, $f(r, \alpha) = 0$ and $t \leq e - 1$, which satisfies the
constraint $h'_i = (x_p < e)$.

— If $h_i = (x_p \leq e)$ then $\nu(x_p) \leq e$. If $\nu(x_p) = e$ then $\iota(r, \alpha) = \text{EXACT}$. Thus
$f(r, \alpha) = 0$ and $t = e$, which satisfies $x_p \leq e$. Otherwise, $\nu(x_p) < e$. Due to
the reasoning in the previous item, $t \leq e$ if $\iota(r, \alpha) = \text{LESS}$ and $t \leq e - 1$
otherwise. This means that $t$ satisfies $h'_i$.

— The other two cases ($>$, $\geq$) are dealt with similarly.

We have thus shown that the transition $(\ell, r, \alpha, t) \xrightarrow{a} (\ell', r', \alpha', t')$ exists. Here,
$t' = 0$ if $x_p \in R$ and $t' = t$ otherwise.

We now show that $\nu'$ corresponds with $(r', \alpha', t')$. Condition 1 is clearly
satisfied. If $t' = t$ then both $x_p, z \notin R$, which means that both $\nu(x_p)$ and $\iota(r, \alpha)$
are unchanged. If $t' = 0$ then $x_p, z \in R$, which means that $\nu'(x_p) = 0$,
$\iota(r', \alpha') = \text{EXACT}$ and $f(r', \alpha') = 0$. In both cases, $\nu'$ corresponds with $(r', \alpha', t')$. $\Box$

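Lemma 5. Let $(\ell, r, \alpha, t)$ be a configuration of $A$, let $(\ell, r, \alpha, t) \xrightarrow{d} (\ell, r', \alpha', t')$
with $d \in \{0, 1\}$ and $r' \models z < 1$, and let $\nu$ correspond with $(r, \alpha, t)$. Then there
exists $d'$ such that $(\ell, \nu) \xrightarrow{d'} (\ell, \nu + d')$ and $\nu + d'$ corresponds with $(r', \alpha', t')$.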


Proof. If $d = 1$, we choose $d' = 0$ and show that $\nu + 0 = \nu$ corresponds with
$(r', \alpha', t + 1)$. Clearly, in this case $r' = r$, $\alpha(z) = 0$, and $\alpha'(z) = 1$, which means
that $\iota(r, \alpha) = \text{MORE}$ while $\iota(r, \alpha') = \text{LESS}$. Therefore, $f(r, \alpha) = 0$, $f(r, \alpha') = 1$
and if $\lfloor \nu(x_p) \rfloor = t$ then $\lfloor \nu(x_p) \rfloor + 1 = t + 1$.

Let us now assume that $d = 0$. This means that $\alpha' = \alpha$ while $r'$ is the
successor region of $r$. We choose an arbitrary $d'$ such that $(\nu + d')|_C \in r'$. To
show that $\nu + d'$ corresponds with $(r', \alpha, t)$, we can use the very same reasoning
as in the proof of Lemma 3. $\Box$

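Lemma 6. Let $(\ell, r, \alpha, t)$ be a configuration of $A$ with $r \models z < 1$, let
$(\ell, r, \alpha, t) \xrightarrow{a} (\ell', r', \alpha', t')$, and let $\nu$ correspond with $(r, \alpha, t)$. Then
$(\ell, \nu) \xrightarrow{a} (\ell', \nu')$ and $\nu'$ corresponds with $(r', \alpha', t')$.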


Proof. The transition $(\ell, r, \alpha, t) \xrightarrow{a} (\ell', r', \alpha', t')$ in the semantics is due to a
transition $(\ell, r, \alpha) \xrightarrow{h'_1 \wedge \cdots \wedge h'_n, a, R} (\ell', r', \alpha')$ of the 0/1-timed automaton $A$, which was
constructed from a transition $\ell \xrightarrow{g, a, R} \ell'$ of the timed automaton $A'$.

Clearly, if $r \models g_1 \wedge \cdots \wedge g_k$ then so does $\nu$. We also need to show that
$\nu \models h_1 \wedge \cdots \wedge h_n$. We know that $t$ satisfies $h'_i$ for all $i$.


— If $h_i = (x_p < e)$ then either $\iota(r, \alpha) = \text{LESS}$ and $h'_i = (x_p \leq e)$ or
$h'_i = (x_p < e)$. In the first case, we know that $f(r, \alpha) = 1$, which means that
$\lfloor \nu(x_p) \rfloor + 1 = t$, which implies that $\nu(x_p) < t \leq e$. In the second case,
$f(r, \alpha) = 0$ which means that $\lfloor \nu(x_p) \rfloor = t$ and thus $\nu(x_p) < t + 1 \leq e$ as
$t \leq e - 1$.

— If $h_i = (x_p \leq e)$ then either $\iota(r, \alpha) = \text{MORE}$ and $h'_i = (x_p < e)$ or
$h'_i = (x_p \leq e)$. In both cases, if $t < e$ then $t \leq e - 1$ and thus $\lfloor \nu(x_p) \rfloor + f(r, \alpha) \leq e - 1$.
This means that no matter the value of $f(r, \alpha)$, $\nu(x_p) < e$. If, in the
second case, $t = e$ then $\lfloor \nu(x_p) \rfloor + f(r, \alpha) = e$. If $f(r, \alpha) = 1$ then $\nu(x_p) < e$.
If $f(r, \alpha) = 0$ then this means that $\iota(r, \alpha) = \text{EXACT}$ and $\nu(x_p) = e$ as
$\nu(x_p) \in \mathbb{N}_0$.

— The remaining two cases ($>$, $\geq$) are dealt with similarly.

We now need to show that $\nu' = \nu[R]$ corresponds with $(r', \alpha', t')$. This is
shown exactly as in the proof of Lemma 4. $\Box$

The correctness of the construction is now a corollary of the previous four 
lemmata; this proves the main theorem. 